Nik Patel's SharePoint World: Logs from the Field (http://nikpatel.net)
Feed last updated: Mon, 16 Feb 2015 22:32:58 +0000
Mapping Network Drive for Office 365 and SharePoint Online
http://nikpatel.net/2014/12/23/mapping-network-drive-for-office-365-and-sharepoint-online/
Tue, 23 Dec 2014 17:23:44 +0000

If you are trying to map a network drive to a SharePoint Online document library, or to any other library such as the Master Page Gallery used by Design Manager, from Windows Explorer and you come across this error, “The Mapped Network Drive could not be created because the following error has occurred: Access Denied. Before opening files in this location, you must first add the web site to your trusted sites list, browse to the web site and select the option to login Automatically.”, here are some options and reference blog articles I have tried to make it work.

Prerequisites: To configure WebDAV for SharePoint Online sites, I needed to ensure I had the following options configured on my desktop, in IE, and on the SharePoint Online sites, in addition to the 32-bit Office 2013 Professional Plus edition. Although I haven't tested it, my understanding is that WebDAV doesn't work with the 64-bit Office 2013 edition.

Add the SharePoint Online site URL to the Trusted Sites zone in IE. You can optionally trust all SharePoint Online sites by adding https://*.sharepoint.com.

Make sure the WebClient Windows service is running under the Local Service account. This is the WebDAV client service on the Windows desktop that makes SharePoint Online libraries available through Windows Explorer or any other Windows client utility. For example, if you are planning to sync OneDrive for Business to your OneDrive client and the sync doesn't work, check that this service has started.

Uncheck “Enable Protected Mode” for the Internet zone in IE. Note that Protected Mode is the IE sandbox for that zone, so unchecking it lowers isolation for every Internet-zone site, not just SharePoint; limit the change to the machines that actually need the mapped drive.

Check “Keep me signed in” while logging into the SharePoint Online site.

Make sure the user has at least Contribute permission on the SharePoint Online site, document library, or gallery. In my case, the user has site collection administrator permission.

Verification: Once you have all the options configured properly, log in to the SharePoint Online site using Internet Explorer. At this point, you can follow the same steps as above (in the situation section) to map the network drive from Windows Explorer, and you should be able to map the SharePoint Online libraries.

You can also open any document library or predefined gallery, such as the Master Page Gallery, using the “Open with Windows Explorer” option.

This is one of those personal reminder/reference articles for me. This seems like a fairly common configuration required for SharePoint Online designers. Although each configuration may require a different solution depending on the desktop operating system, browser version, and Office version, hopefully some of the pointers in this article will be helpful. If you come across a different solution for a different scenario, please don't forget to drop a note with your resolution in the comments section!

Filed under: Office 365, SP2013 Online

Renew expired ADFS Token Certificates for ADFS 2.0 and SharePoint 2013 On-Premises
http://nikpatel.net/2014/12/22/renew-expired-adfs-token-certificates-for-adfs-2-0-and-sharepoint-2013-on-premises/
Mon, 22 Dec 2014 21:34:28 +0000

Over the last weekend, I was restoring my SharePoint 2013 farm VMs on Windows Server 2008 R2, built over the last year. My goal was to restore the baseline and then start adding additional pieces to this complex SharePoint 2013 farm, including Office Web Apps and a provider-hosted apps environment. To my shocking surprise, both ADFS and SharePoint seemed dead as I tried to test the pulse of the restored environment.

During testing of the ADFS sign-in page, https://adfs.niks.local/adfs/ls/IdpInitiatedSignon.aspx, I came across the generic ADFS error message, and on investigating the event logs it didn't take me long to see that both the ADFS token-decrypting and token-signing certificates had expired. As the following screens showed, the ADFS certs had expired in July 2014, while I was restoring these VMs in December 2014.

The solution was straightforward: renew the ADFS token-decrypting and token-signing certificates, then update the ADFS token-signing certificate in SharePoint. As with most things in the SharePoint world, there is no end-to-end real-world guide, and I had to look up various articles to come up with the correct process.

This whole research and restoration process took me more than a few hours (including documentation), and there is no reason to waste that research when it can serve as a future reference if I ever need it again. That's the true inspiration for this blog article.

Renew ADFS 2.0 Token-decrypting and Token-signing certificates
Usually these certs get renewed automatically every year in a production 24×7 environment if automatic certificate rollover is enabled (the default ADFS setting renews every 365 days), but since the VMs were shut down, there was no way ADFS could renew those certs before the restoration.

To renew both token certificates, load the ADFS 2.0 PowerShell snap-in on Windows Server 2008 R2 and run the Update-ADFSCertificate command with the -Urgent switch to force certificate renewal. Please note that the -Urgent switch rolls over the certs immediately and removes the older certificates right away. If your certs haven't expired, this may cause a temporary service outage, because relying parties such as SharePoint keep trusting the old signing certificate until the new one is imported.

Log in to one of the ADFS servers as an administrator and run the following Windows PowerShell commands in an elevated session.

# Load the ADFS 2.0 snap-in, then force an immediate rollover of both token certificates
Add-PSSnapin Microsoft.Adfs.PowerShell
Update-ADFSCertificate -Urgent

Alternatively, you can run the following command to renew a specific certificate type; for example, to renew only the ADFS token-signing certificate. Valid certificate types are “Token-Encryption” or “Token-Signing”.

Update-ADFSCertificate -CertificateType Token-Signing -Urgent

After running the ADFS commands, the certs should be refreshed for another year. As you can see from the following screen, the ADFS certs are renewed for another year, until 12/21/2015. Alternatively, you can change the CertificateDuration by running Set-ADFSProperties to set a longer duration, but as a security best practice (even in a development environment) it is better to keep the standard ADFS 1-year certificate renewal.

If you access the ADFS IdP sign-in page and still get the same error, restart the ADFS Windows service; after that you should have a working ADFS environment.

Restore ADFS 2.0 and SharePoint 2013 On-Premises Federation

Since the ADFS token-signing certificate had expired, accessing SharePoint may result in an ID4220 SAML assertion error, because the certificate stored in the SharePoint trust store is no longer valid.

You need to export the ADFS token-signing certificate from the ADFS server. It is important to note that the newly generated ADFS certificates may not be trusted. You must add these certificates to the Trusted Root Certification Authorities store on the ADFS server before exporting them for import into SharePoint.

Once the ADFS certificate is trusted, export the cert and copy it over to one of the SharePoint servers (preferably the server running Central Administration) where you can run SharePoint PowerShell commands.

It is important to note that once you copy over the ADFS token-signing certificate, it may not be locally trusted on the SharePoint server. Make sure this cert is added to the local Trusted Root Certification Authorities store on the SharePoint server where you plan to import it into the SharePoint trust store. If you import a certificate that isn't trusted locally, you may get the error “The root of the certificate chain is not a trusted root authority”.

The next step is to run the SharePoint PowerShell commands as an administrator on one of the SharePoint servers in the farm where the ADFS token-signing certificate is trusted. You only need to run these commands once, on one server in the farm, because the trusted identity token issuer is stored in the farm configuration database; there is no need to run them on every SharePoint server.

Run Get-SPTrustedIdentityTokenIssuer to verify that the certificate thumbprint and expiration date match the renewed ADFS federation trust. Additionally, verify that the new ADFS token-signing certificate is present in the SharePoint trust store from the Central Administration trust screen. If it isn't, you can upload the certificate manually. If the trust page doesn't show a valid certificate, SharePoint will throw the same error: “The root of the certificate chain is not a trusted root authority”.

Last but not least, verify SharePoint access using ADFS federation; you should be able to log in successfully.
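As an added example (not code from the original post), here are two PowerShell helpers for the renewal and re-trust steps above: the ADFS-side function reports the primary token certificates and, with -Renew, forces a rollover only for those that are expired or expiring within a window, avoiding the outage an unconditional -Urgent causes; the SharePoint-side function compares the exported token-signing certificate against the trusted identity token issuer and the farm trust store, and can update both. The issuer name and .cer path are placeholders, and the cmdlets are assumed to be those of the ADFS 2.0 and SharePoint 2013 snap-ins.

```powershell
# Added example, not code from the original post.
# Test-AdfsTokenCertificate runs on the ADFS 2.0 server; Test-SPTrustedIssuerSigningCertificate
# runs on one SharePoint 2013 server. Issuer name and .cer path in the usage lines are placeholders.

function Test-AdfsTokenCertificate {
    # Reports the primary token-signing and token-decrypting certificates and, with -Renew,
    # forces a rollover only for those expired or expiring within $RenewWithinDays.
    param(
        [int]$RenewWithinDays = 30,   # certs expiring this soon are treated as due
        [switch]$Renew                # without -Renew the function only reports
    )
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

    $results = @()
    # Get-ADFSCertificate also lists the service-communications cert; keep the primary
    # Token-Signing / Token-Decrypting entries only.
    $tokenCerts = Get-ADFSCertificate | Where-Object { $_.IsPrimary -and $_.CertificateType -like 'Token-*' }
    foreach ($entry in $tokenCerts) {
        $cert     = $entry.Certificate
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $due      = ($daysLeft -le $RenewWithinDays)
        $action   = 'none'
        if ($due -and $Renew) {
            # -Urgent rolls the certificate immediately and drops the old one, so every
            # relying party (SharePoint here) must re-import the new signing cert afterwards.
            Update-ADFSCertificate -CertificateType $entry.CertificateType -Urgent
            $action = 'renewed'
        }
        # New-Object PSObject keeps this PowerShell 2.0 compatible (Windows Server 2008 R2)
        $results += New-Object PSObject -Property @{
            Type       = $entry.CertificateType
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            RenewalDue = $due
            Action     = $action
        }
    }
    return $results
}

function Test-SPTrustedIssuerSigningCertificate {
    # Compares the exported ADFS token-signing .cer with what the farm holds. One server is
    # enough: the trusted identity token issuer lives in the farm configuration database.
    param(
        [Parameter(Mandatory=$true)][string]$IssuerName,      # name used when the trust was created
        [Parameter(Mandatory=$true)][string]$ExportedCerPath, # path of the exported .cer file
        [switch]$Apply                                        # update the farm when it is out of date
    )
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ExportedCerPath
    $issuer   = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
    $current  = $issuer.SigningCertificate

    # Verify() builds a chain against the local machine stores: if this is $false, the cert is
    # not in the local Trusted Root store and the import below would fail with
    # "The root of the certificate chain is not a trusted root authority".
    $locallyTrusted = $exported.Verify()
    $rootEntry      = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $exported.Thumbprint }
    $inFarmStore    = ($rootEntry -ne $null)
    $issuerMatches  = ($current.Thumbprint -eq $exported.Thumbprint)

    if ($Apply -and $locallyTrusted) {
        if (-not $inFarmStore) {
            New-SPTrustedRootAuthority -Name "ADFS Token Signing $($exported.Thumbprint)" -Certificate $exported | Out-Null
        }
        if (-not $issuerMatches) {
            Set-SPTrustedIdentityTokenIssuer -Identity $IssuerName -ImportTrustCertificate $exported
        }
    }

    New-Object PSObject -Property @{
        Issuer              = $IssuerName
        IssuerThumbprint    = $current.Thumbprint
        ExportedThumbprint  = $exported.Thumbprint
        ExportedNotAfter    = $exported.NotAfter
        LocallyTrusted      = $locallyTrusted
        InFarmTrustStore    = $inFarmStore
        IssuerMatchesExport = $issuerMatches
        Applied             = [bool]($Apply -and $locallyTrusted)
    }
}

# Usage (placeholders for the issuer name and path):
# On the ADFS server:      Test-AdfsTokenCertificate | Format-Table Type, DaysLeft, RenewalDue, Action
#                          Test-AdfsTokenCertificate -Renew
# On a SharePoint server:  Test-SPTrustedIssuerSigningCertificate -IssuerName 'ADFS Provider' -ExportedCerPath 'C:\temp\adfs-token-signing.cer' -Apply
```

Run the report-only form first on both sides; a renewal that is not due, or an import of a certificate that is not locally trusted, is deliberately skipped.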

Hope this saves some time for someone trying to accomplish similar tasks.

Filed under: ADFS, SharePoint 2013, SP2013 Admin

Nik’s SharePoint Fest 2014 Chicago Session Deck is Available
http://nikpatel.net/2014/12/14/niks-sharepoint-fest-2014-chicago-session-deck-is-available/
Sun, 14 Dec 2014 19:37:27 +0000

Thanks to everyone who made it to my session at SharePoint Fest Chicago 2014. I was really surprised by the turnout for an advanced IT Pro session. I had great fun walking attendees through the prerequisites and the detailed steps required to configure a SharePoint hybrid solution from beginning to end, and the different gotchas they should avoid.

As promised, here is my session deck, available through SlideShare. Feel free to download it and reach out to me if you have any questions. Watch this space, as I am planning to extend this presentation with advanced features like OneDrive for Business, Yammer, BCS, Records Management, and Apps for SharePoint hybrid walkthroughs in 2015.

Additionally, I had a great time with the SharePoint community and the Slalom team at SharePoint Fest. If you are in Chicago, this is one of the premier events for SharePoint and Office 365 professionals!!

Filed under: Office 365, SharePoint 2013, Speaking

Speaking on End-to-End SharePoint Hybrid Deployment Configuration Blueprint at SharePoint Fest Chicago 2014
http://nikpatel.net/2014/11/08/speaking-on-end-to-end-sharepoint-hybrid-deployment-configuration-blueprint-at-sharepoint-fest-chicago-2014/
Sat, 08 Nov 2014 22:35:47 +0000

I am privileged to be invited as a featured speaker at this year's SharePoint Fest Chicago on Dec 8th. Slalom Consulting is once again proud to be a Platinum Sponsor this year. I will be speaking on one of the most relevant and complex topics in the SharePoint world: hybrid deployments.

As organizations mature in their cloud investments and the awe-inspiring Office 365 innovations, hybrid deployments are at times inevitable, and organizations are forced to configure co-existence between SharePoint On-Premises and SharePoint Online environments. Please attend SharePoint Fest and my expert-level session walking through an end-to-end configuration blueprint for SharePoint hybrid deployments.

The SharePoint landscape is changing and moving towards a cloud architecture as Office 365. As Microsoft invests heavily in cloud and device services, are IT and the business agile enough to stay ahead of the curve, adopt future trends, and keep up with the Microsoft and industry pace? Do organizations have clear guidance and the technical expertise to decide where to invest: SharePoint on-premises, SharePoint Online, or SharePoint hybrid?

Nik Patel, Principal Consultant and SharePoint Lead Architect at Slalom Consulting, will provide real-world guidance and recommendations on the major factors and workloads that determine whether organizations should stay on-premises or move to the cloud. This session will provide an end-to-end blueprint for architecting different SharePoint and identity workloads in a hybrid environment, focusing on practical guidance for SharePoint 2013 On-Premises, Office 365 and SharePoint Online, ADFS, Azure Active Directory, Azure Active Directory Sync, and Windows Server 2012 Web Application Proxy configuration.

This is a level 300 session focused on advanced SharePoint on-premises, cloud, and hybrid concepts for IT Pros and SharePoint Architects.

Major features & concepts covered in the session:

Decision tree for SharePoint Hybrid workloads: where to deploy which workload?

And, if time permits, many more: Hybrid Apps, Yammer redirection, etc.

Hoping to see you there!!!!!

Filed under: Speaking

Status of SharePoint as Brand and Latest Microsoft Trends – Alternatives of SharePoint Workloads
http://nikpatel.net/2014/11/06/status-of-sharepoint-as-brand-and-latest-microsoft-trends-alternatives-of-sharepoint-workloads/
Thu, 06 Nov 2014 18:20:32 +0000

Although it's well understood by seasoned SharePoint professionals and people who follow recent SharePoint and Office 365 announcements, it's worth noting that many folks in the industry may not be aware of where SharePoint is going and what its alternative features are. For a while SharePoint has been the Swiss-army knife for various business workloads, known as a jack of all trades and master of none.

In my most recent project assignment, I had an opportunity to perform an exercise showing where Microsoft is going with its recent announcements and what the possible replacements or alternatives for SharePoint are.

As of Nov 2014, if I had to summarize where we are going with SharePoint, it would be: “SharePoint is being decentralized into individual Office 365 services”. Here is why, and a list of high-level workloads:

Filed under: Office 365, SharePoint 2013

Features Mapping of Google Apps for Business & Microsoft Office 365 Enterprise Cloud Services
http://nikpatel.net/2014/06/24/features-mapping-of-google-apps-for-business-office-365-enterprise-cloud-services/
Tue, 24 Jun 2014 15:58:24 +0000

Note: Since both Google Apps for Business and Office 365 are ever-changing cloud services, please note that this article was last updated on June 24th, 2014, and recent changes may not be reflected.

I have recently been tasked with analyzing a Google Apps for Business environment and providing a recommendation for migrating Google Apps to Office 365 Enterprise services. One of the first tasks for any Office 365 professional is to understand the Google Apps for Business features and how they map to the Office 365 Enterprise subscription features.

Here is the table that provides the Google Apps for Business & Office 365 Enterprise Cloud Services feature mapping. I plan to update it to reflect future changes as needed.

In this article, we will install a single-server ADFS environment, configure ADFS 2.0 and SharePoint 2013 integration for two SharePoint web applications, intranet.niks.local and my.niks.local, and resolve some of the issues with the User Profile Sync service and Search Service crawling caused by the ADFS 2.0 & SAML 2.0 integration. In addition to UPS and Search, there are issues like People Picker resolution. This article does not cover resolving the People Picker or how to write a custom claims provider. For the final list of ADFS 2.0 and SAML 2.0 issues with SharePoint 2013, please see here.

Step by Step ADFS 2.0 Install Guide on Windows Server 2008 R2

Pre-requisites

Prepare a Windows 2008 R2 VM and join it to the domain

Service account: Niks\adfs_install; add this account as a local admin on the box

DNS A record: adfs.niks.local => ADFS server IP

Make sure all AD user accounts, service accounts, and admin accounts have the Email (mail) property populated

Install ADFS from the downloaded file. Note: do not install the ADFS role that ships with Windows Server 2008 R2; that installs ADFS 1.0. ADFS 2.0 must be installed from the download on Microsoft's site.

To install ADFS 2.0, run ADFSSetup.exe as administrator (use Shift+right-click and run it as a domain administrator).

Federation server: for the “internal” domain-joined ADFS server, install the Federation Server role.

On the final page of the installation wizard, uncheck “Start the ADFS 2.0 Management snap-in when this wizard closes”. The RU 3 hotfix will be installed before the actual configuration of ADFS takes place.

Install the ADFS 2.0 RU 3 hotfix: run Windows6.1-KB2790338-v2-x64 to update. The hotfix may require a reboot of the server; do so before continuing with additional configuration steps.

Prepare IIS for ADFS

Ensure Niks\adfs_install has access to the CA and to the Web Server certificate template

Request a domain cert for adfs.niks.local, or import the federation service URL cert on the server. You can import it directly into IIS, or into the Personal store of the Local Computer using the Certificates snap-in in an MMC. The certificate needs to be in PFX format, with the private key, when importing into the ADFS proxy servers. Accomplish this by first importing the cert into the server that created the CSR, then exporting it as a .pfx with the private key.

Update the IIS bindings on the Default Web Site for port 443 and run iisreset

Configure ADFS 2.0 Federation service

Run the ADFS 2.0 Management Console (use Shift+right-click on ADFS 2.0 Management and run it as a domain administrator).

It is important to note that this article uses Email as the ADFS login and requires the mail attribute to be populated in AD. If you are using UPN, make sure you use UPN instead of Email throughout this article when creating relying party claim rules and registering the SharePoint STS provider.

It should work for both email (npatel@niks.local) and Windows credential (e.g. Niks\npatel) formats.

Issues

Welcome menu shows “email”, not the full name

Users can log in with both email (npatel@niks.local) and Windows credential (e.g. Niks\npatel) formats

Multiple My Sites may be created (one for the existing Niks\npatel (Windows credential) and a second for npatel@niks.local (ADFS credential))

Multiple user profiles may be created (one for the existing Niks\npatel (Windows credential) and a second for npatel@niks.local (ADFS credential)). If you log in with ADFS, your incoming user id (email address) won't match the NTLM-synced user profile, so SharePoint creates another user profile on demand. Since the SAML-based email profile is not synced from AD, it doesn't have properties like Name (Preferred Name) filled with the full name. This causes the email address to show up in the Welcome user control. Please note that the user profile Name property is what shows up in the Welcome user control.

Configure ADFS 2.0 Login Page for SharePoint 2013

The ADFS default is to present a Windows popup box when the user is redirected there. This expects a login in the form domain\user. As the user's email address does not follow this pattern, typically we want ADFS to present the user with a form; otherwise you may find that the user is not able to log in successfully.

To replace the login prompt with a form, the only thing you have to do is change the order of the local authentication types on the ADFS server. On the ADFS server, open IIS Manager, expand Default Web Site > adfs > ls, right-click the site and choose Explore to get to the folder containing web.config. Here we want to put the Forms login above the Integrated login. Swap the first two lines so that the localAuthenticationTypes section looks like this:

Run a full profile sync. It should create all user profiles in SAML format with additional properties like First Name, Last Name, and Full Name.

Syncing Welcome User

There are two timer jobs, “User Profile Service Application – User Profile to SharePoint Full Synchronization” and “User Profile Service Application – User Profile to SharePoint Quick Synchronization”. You can manually run the Full Sync or Quick Sync job to sync user profiles from Central Admin to the site collections.

Verify User Profile Implementation

User profiles are created as follows: all service accounts in NTLM (Domain\User) format, since they don't have the mail attribute populated in AD; all users in SAML format, since all users have the mail attribute populated in AD.

Once you log in with either NTLM credentials or an email address at the login prompt, it should create only one version of the My Site (in domain\UserID format, not email) and should show the full name in the Welcome user control (after a few minutes, when the site collection user list gets synced with the My Site user profiles).

That's it. If you have made it this far, hopefully you have a working environment for ADFS 2.0 and SharePoint 2013 on Windows Server 2008 R2.

Filed under: ADFS, SharePoint 2013, SP2013 Admin

ADFS 2.0, SAML 2.0, and SharePoint 2013 – Limitations, Issues, and Workarounds
http://nikpatel.net/2014/06/09/adfs-2-0-saml-2-0-and-sharepoint-2013-limitations-issues-and-workarounds/
Mon, 09 Jun 2014 10:19:27 +0000

I have recently configured a large SharePoint 2013 On-Premises farm with Windows Server 2008 R2 and ADFS 2.0. As we were configuring the SharePoint 2013 and ADFS 2.0 integration, we came across various issues and limitations. This article highlights the ADFS 2.0 integration issues you may come across and the various workarounds and approaches we used.

ADFS Integration Issues => Fixes & Workarounds

Users can sign in with both domain\user and email formats in the Windows logon prompt

Work with the ADFS team on customizing the ADFS login page: you can present a Form UI rather than the normal Windows prompt UI

Hopefully this will make you aware of potential issues during the planning phase instead of the final QA or UAT phase. If I have missed any limitations of ADFS 2.0 and SharePoint 2013 integration, please feel free to add value by providing comments on this article.

In addition to many improvements in the SharePoint 2013 WCM framework, Managed Navigation promised to solve a long-standing SharePoint issue: out-of-the-box cross-site-collection global navigation. If you are a SharePoint veteran, you know that structured navigation can't span multiple site collections, while managed metadata and centralized term store driven navigation can easily solve the cross-site-collection issue, since the data is stored in a central location instead of per site collection.

How to Configure Managed Navigation in SharePoint 2013

Configuring Managed Navigation in SharePoint 2013 is straightforward. You must meet the following two prerequisites:

Enable the Managed Metadata Service in the On-Premises farm; this is already enabled in SharePoint Online.

Site collections must be configured to use the Publishing framework.

To prepare the term store for Managed Navigation, you must enable the term set for use in Managed Navigation. This enables the “Navigation” and “Term-Driven Pages” tabs on the term set, where additional properties can be set.

For each term in the term set, you can specify the Navigation Node Title, Navigation Hover Text, whether it's visible in Global or Local Navigation, the Navigation Node Type, and the Navigation URLs.

After the term set is prepared for Managed Navigation, you can enable Managed Navigation in the site collection and specify which term set will be used for site collection navigation. This step concludes configuring Managed Navigation for the given site collection.

Limitations of Managed Navigation in SharePoint 2013

As you can see above, configuring Managed Navigation in SharePoint 2013 is straightforward and provides a great no-code solution. With the recent hatred for full-trust farm, sandboxed, or any kind of custom solutions, organizations are looking for no-code solutions, and as I mentioned earlier, Managed Navigation showed great promise for solving cross-site-collection navigation. Many (including me) have tried to configure this navigation or used this approach without knowing its limitations, and later decided to redesign with an alternative, more maintainable solution.

In this article, I will walk through some of the major limitations and why you should avoid this solution unless you are configuring cross-site-collection navigation for fewer than 10-15 site collections and can deal with potential ongoing manual maintenance.

Limitation # 1 => 1:1 Relationship between Site Collection and Term Set

It is important to note that each term set can be associated with only one site collection at a given time. In other words, it requires a dedicated copy of the term set for each site collection's navigation. E.g. if you have 5 site collections, you must have 5 copies of the same term set to use for the navigation data of the 5 site collections.

If a term set is already configured for site collection navigation and you try to reuse the same term set in another site collection, SharePoint throws the following warning, and accepting it disconnects the term set from the previous site collection before associating it with the current one: The selected term set is already used by another site: https://sitecollection.sharepoint.com, Before proceeding, you should go to the navigation settings for the other site and deselect the term set. If the other site is no longer accessible, you can continue and take over the term set. If you proceed, this will break the navigation settings for the other site — are you sure?

Limitation #2 => Managed Navigation can’t be secured or targeted to specific group

One of the great abilities of Structured Navigation was that you could configure audience targeting or secure each menu item for specific audiences or SharePoint security groups. Unfortunately, Managed Navigation can't be secured or targeted to a specific security group.

As we discussed earlier, you must have one term set for each site collection. If you have more than one site collection, you must have more than one term set, each dedicated to a site collection. To ensure all the site collections use the same navigation menu items, there are two options available in SharePoint 2013 for replicating term sets. Regardless of which approach you take, it will require manual maintenance to reconfigure term sets, due to propagation issues from the primary term set to the secondary term sets.

Reuse the first term set to create secondary term sets – If you plan to use the reuse approach, as its name suggests, it copies the primary term set's terms to the secondary term set, and any subsequent changes in the primary term set won't be reflected in the secondary term set. To resolve this, every time there is a change in the primary term set, you must delete the secondary term set and recreate and reconnect it from the site collection.

Create secondary term sets by pinning the primary term set – Although you can't pin term sets, you can create a secondary term set dependent on the primary term set by pinning terms including children. The idea behind this option is that any changes in the primary term set, including adding, removing, or modifying terms, should propagate to the secondary term set. As always with the majority of Microsoft technologies, there are gotchas. Pinning propagates adding an item, removing an item, and changing a title from the primary term set to the secondary term sets, but doesn't propagate URL or any other property changes to the secondary term sets. To resolve this, you must remove the terms from the secondary term sets and re-pin them including children.

As you can imagine from both approaches above (reuse or pin), it would work great if you have a small number of static site collections. If you have a large number of site collections, any change in the primary term set's terms, including URLs, will require recreating or reconfiguring term sets.

Please note that if you are still leaning towards this option and maintenance of term sets wouldn't be an issue, I would prefer the second option, because it requires re-pinning only terms with children and doesn't require recreating the term set and reconnecting it from the site collection navigation screen. I must add that if Microsoft ever fixes this pinning propagation issue in a future release of the product, many of us wouldn't mind using this option even though it requires manual configuration of a dedicated term set for each site collection.

To configure the second approach, start by creating a new term set for the secondary site collection. In our example, we will create a second term set for the HR site collection. For each parent term in the primary term set, you configure the secondary term set by adding the primary term set's terms using the “Pin Term with Children” option. You must use this option for each parent term in the primary term set. In addition, you must enable the secondary term set for use in Managed Navigation.

After configuring the secondary term set, you can visit the HR site collection and configure it to use the HR term set. As long as all the site collections' term set terms are synced, you should have working global cross-site-collection navigation.

This is another one of those mind-boggling limitations of Managed Navigation. If you have enabled Managed Navigation at the site collection level and, while creating sub sites, you plan to inherit the parent navigation, Managed Navigation doesn't apply to the sub sites automatically. To resolve this peculiar issue, you must open the Navigation page from the sub site's settings page and click “OK” for it to take effect. Again, this is one of those gotchas Microsoft failed to catch in the QA and UAT stages.

As discussed above, Managed Navigation does a great job of resolving the long-standing SharePoint cross-site-collection global navigation issue, but requires a lot of manual maintenance and disciplined guidelines to work correctly. This might be a great alternative to expensive custom solutions. As with most features in SharePoint 2013, there are trade-offs; if a no-code, out-of-the-box approach is your cup of tea, and as long as you are aware of the limitations, feel free to use this approach. I have just used this approach for a recent SharePoint Online intranet I configured, but warned our customer to redesign/reconsider this approach if they ever have more than 10-15 site collections.

Setting up a SharePoint Online tenant with best practices starts as soon as you sign up for the Office 365 tenant (Part I of this article). The next step, before configuring the site taxonomy and provisioning user site collections, is to configure least-privileged administrative accounts for SharePoint Online administration.

In this article, we will walk through my personal best practices for configuring SharePoint Online administrative access.

Before we configure SharePoint Online Administrators, it is important to understand the Office 365 and SharePoint Online administrative roles.

Security Roles in Office 365 and SharePoint Online

Office 365 Roles – Billing Administrator, Global Administrator, Password Administrator, Service Administrator, and User Management Administrator. Out of all these roles, the most common role is Global Administrator.

SharePoint Online Roles – SharePoint Online Service Administrator – There is no specific role for SharePoint Online Administrator like the Farm Administrator role in an on-premises implementation. Any Office 365 Global Administrator with a SharePoint Online license is considered a SharePoint Online Administrator.

Site Collection Level Roles – Site Collection Administrator, same as SharePoint On-Premises

Site Level Roles – Site Owners, Site Members, Site Visitors, same as SharePoint On-Premises

Security Groups in Office 365 and SharePoint Online

Office 365 Global Security Groups – These groups are created by a global administrator. By default, all Office 365 global administrators are added to the “Company Administrator” group. On-premises AD groups can be mapped to the global security groups when AD synchronization is configured. If you have many users and they need permissions across more than one SharePoint Online site collection, this is the preferred method.

SharePoint Online Site Security Groups – Same as on-premises SharePoint

Prescriptive Guidance for SharePoint Online Administrative Management

Here are my personal best practices & prescriptive guidance for configuring SharePoint Online administrative accounts and managing site collection administrative access. This usually falls into three major categories – SPO System Account, SPO Admins Group, and configuring SPO Admin access to the SPO site collections.

Step 1 – Create SharePoint Online Administrative System Account

One of the first steps is to create the SPO administrative account. You should always plan to create this account as a Cloud ID, e.g. sp_admin@yourdomain.onmicrosoft.com. Having it as a Cloud ID allows you to access your tenant even if the on-premises ADFS environment is unavailable.

Some of the reasons why you would have this account: running workflows with elevated privileges requires a permanent account, and you need a service account for Excel data connections, service accounts for BCS, a system account for migration tools, and an SPO PowerShell script execution account.

You can provision a new Cloud Account from the Office 365 Administration site. Click on the users and groups section to provision the new account.

You must specify this account as a Global Administrator. As mentioned earlier, there is no specific role for SharePoint Online Administrator like the Farm Administrator role in an on-premises implementation; any Office 365 Global Administrator with a SharePoint Online license is considered a SharePoint Online Administrator. Additionally, specify a real email address as the Alternative Email Address for various reasons, including system alerts and MS support communication.

Click Next and save the SP_Admin account information. This account should be listed on the Office 365 Users and Groups page as a Cloud ID.

Step 2 – Configure SharePoint Online Administrators Group

A standalone SPO administrative account is great for system administrative access, but in reality you will also need SharePoint Online administrative access for human accounts. Managing all SharePoint administrative access from a single place eases administrative account maintenance, and usually this can be done with Office 365 global groups.

You must always plan to create this group as a Cloud Group, e.g. “SharePoint Admins”, and add the SharePoint administrative system account (sp_admin) and any other human SharePoint administrators to the “SharePoint Admins” group. Optionally, you can have this group as a synced on-premises AD distribution or security group, but having it as a Cloud group allows you to access your tenant even if the on-premises ADFS environment is unavailable.

You can provision a new Cloud Group from the Office 365 Administration site. Click on the users and groups section to provision the new group.

Create a new group called “SharePoint Admins” and add “SP_Admin” and any other human SharePoint administrator accounts to the group. This gives you a single place to manage all SharePoint administrative access. You can have peace of mind that only accounts in this group have SharePoint site collection and administrative access.

Click Next and save the SharePoint Admins group information. This group should be listed on the Office 365 Users and Groups page as a Cloud Group.

Step 3 – Configuring SharePoint Online Administrators Access

By default, OOB site collections are configured with “Company Administrator” as the primary and secondary site collection admins. “Company Administrator” covers anyone who has the Office 365 Global Administrator role assigned. It is usually bad practice to give Company Administrator access to the SharePoint Online site collections: Global Admins such as Exchange or Lync administrators, or any other Office 365 workload administrators, shouldn’t have access to the SharePoint Online Admin site and SharePoint site collections.

To configure least-privileged SharePoint Online site collection administrative access, standardize the practice or governance policy of having the “SP_admin” Cloud ID as Primary Site Collection Administrator and the “SharePoint Admins” Cloud Group as Secondary Site Collection Administrator for all site collections.

With the “SP_Admin” Cloud ID and “SharePoint Admins” Cloud group configured in the previous steps, it’s time to lock down out-of-the-box and future SharePoint site collections to SharePoint administrative access only. You can start locking down administrative access by opening the SharePoint Administration site (https://yourdomain-admin.sharepoint.com) and visiting the “Manage Administrators” page for each of the site collections.

As you may notice the first time you try to configure SharePoint Administrators on the OOB site collections, “Company Administrator” is configured as the primary and secondary site collection administrator. As discussed earlier, Company Administrator is a built-in Office 365 role which includes all accounts with the Global Administrator role. It means everyone, including the Exchange Administrator or any other Office 365 workload administrator, would have administrative access to the SharePoint Online sites. This must be locked down to the SharePoint Administrators.

To ensure all SharePoint site collections and sites are managed only by SharePoint Administrators, plan to specify the “SP_Admin” Cloud ID as primary site collection administrator and the “SharePoint Admins” Cloud Group as secondary site collection administrator.

As you will notice after following the above steps, if you visit the site collection properties, you will see that all the site collections have “SharePoint Admin” and “SharePoint Admins” as site collection administrators.

Also, each site collection will have “SharePoint Admin” and “SharePoint Admins” as site collection administrators on the Permissions page.
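The three steps above are done through the portal in this guide, but they are just as easy to script and, more importantly, to re-check, because any site collection created later will again default to “Company Administrator”. The following is an added example written for this post, not code from the original article or from Microsoft: it creates the cloud-only SP_Admin account and the “SharePoint Admins” cloud security group with the MSOnline module, then walks every site collection with the SharePoint Online Management Shell, sets the two expected administrators and reports any other account still holding site collection admin. The tenant name, alternate e-mail address, usage location and license SKU are placeholders, and the claims-format login name used for the security group is an assumption noted in the code.

```powershell
# Added example, not code from the original post: the three steps above
# scripted with the Azure AD (MSOnline) module and the SharePoint Online
# Management Shell, followed by an audit of every site collection so that only
# SP_Admin and the "SharePoint Admins" group remain site collection admins.
# Assumptions (labelled): "yourdomain", the alternate e-mail address, the usage
# location and the license SKU are placeholders; both modules are installed; the
# account running the script is already an Office 365 Global Administrator.
param([switch]$Enforce)   # without -Enforce the audit only reports; it removes nothing

Import-Module MSOnline
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

$tenant    = "yourdomain"                                   # placeholder
$adminUpn  = "sp_admin@$tenant.onmicrosoft.com"
$groupName = "SharePoint Admins"
$adminUrl  = "https://$tenant-admin.sharepoint.com"

$cred = Get-Credential -Message "Office 365 Global Administrator"
Connect-MsolService -Credential $cred

# Step 1: cloud-only system account, Global Administrator, real alternate e-mail.
$user = Get-MsolUser -UserPrincipalName $adminUpn -ErrorAction SilentlyContinue
if (-not $user) {
    $newUser = @{
        UserPrincipalName       = $adminUpn
        DisplayName             = "SP_Admin"
        UsageLocation           = "US"                                 # placeholder
        LicenseAssignment       = "$($tenant):ENTERPRISEPACK"          # placeholder SKU; must include SharePoint Online
        AlternateEmailAddresses = @("spadmin-alerts@yourdomain.com")   # placeholder; a mailbox someone actually reads
        PasswordNeverExpires    = $true
        ForceChangePassword     = $false
    }
    $user = New-MsolUser @newUser
}
$roleId       = (Get-MsolRole -RoleName "Company Administrator").ObjectId
$globalAdmins = Get-MsolRoleMember -RoleObjectId $roleId
if (-not ($globalAdmins | Where-Object { $_.EmailAddress -eq $adminUpn })) {
    Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress $adminUpn
}

# Step 2: cloud security group holding SP_Admin and the human SharePoint admins.
$group = Get-MsolGroup -SearchString $groupName | Where-Object { $_.DisplayName -eq $groupName }
if (-not $group) {
    $group = New-MsolGroup -DisplayName $groupName -Description "SharePoint Online administrators (cloud security group)"
}
$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId
if (-not ($members | Where-Object { $_.ObjectId -eq $user.ObjectId })) {
    Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId
}

# Step 3: make SP_Admin the primary and the group the secondary site collection
# admin everywhere, then report (and optionally remove) anything else.
Connect-SPOService -Url $adminUrl -Credential $cred
# Assumption: this is the claims login name SharePoint Online uses for an Azure AD security group.
$groupLogin = "c:0t.c|tenant|$($group.ObjectId)"

function Test-ExpectedAdmin([string]$login) {
    # User login names may carry a claims prefix (i:0#.f|membership|...), so match on the UPN suffix.
    return ($login -like "*$adminUpn") -or ($login -eq $groupLogin)
}

foreach ($site in Get-SPOSite -Limit All) {
    Set-SPOSite -Identity $site.Url -Owner $adminUpn                                  # primary admin
    Set-SPOUser -Site $site.Url -LoginName $groupLogin -IsSiteCollectionAdmin $true   # secondary admin
    $extra = Get-SPOUser -Site $site.Url -Limit All |
        Where-Object { $_.IsSiteAdmin -and -not (Test-ExpectedAdmin $_.LoginName) }
    foreach ($u in $extra) {
        Write-Warning "$($site.Url): unexpected site collection admin '$($u.LoginName)'"
        if ($Enforce) {
            Set-SPOUser -Site $site.Url -LoginName $u.LoginName -IsSiteCollectionAdmin $false
        }
    }
}
```

Run it without -Enforce first and read the warnings: on a fresh tenant you should see “Company Administrator” reported on every OOB site collection, which is exactly the condition the post describes. Scheduling the report-only run is a cheap way to catch site collections created later, or an admin added by hand, that drift away from the SP_Admin plus “SharePoint Admins” baseline.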

Hope this guide provides you with best practices and guidance on how to manage your SharePoint Online environment with least-privileged administrative access.